LetsDefend Challenge DFIR: Memory Analysis

• What was the date and time when Memory from the compromised endpoint was acquired?
• What was the suspicious process running on the system? (Format : name.extension)
• Analyze and find the malicious tool running on the system by the attacker (Format name.extension)
• Which User Account was compromised? Format (DomainName/USERNAME)
• What is the compromised user password?

volatility2より，volatility3の方がインストールしやすいし使いやすいことに気付いてからはvolatility3を使っている．
Volatility - CheatSheet - HackTricks

What was the date and time when Memory from the compromised endpoint was acquired?

Answer: 2022-07-26 18:16:32

What was the suspicious process running on the system? (Format : name.extension)

SANSが公開しているWindowsの基本的なプロセスのポスターを眺めながら取り組んでいた．
Hunt Evil | SANS Poster
vol -f dump.mem windows.pslistで表示したもの↓

"lsass.exe"が怪しい．
Answer: lsass.exe

Analyze and find the malicious tool running on the system by the attacker (Format name.extension)

怪しいlsass.exeをvol -f dump.mem windows.pslit --pid 7592 --dumpでダンプする．
出てきたファイルのハッシュを検索すると，
https://www.virustotal.com/gui/file/ac87ce8b5902643dfedf4c3c02b91d7e06743e0bc2f3f87b0a4fbdd6ad111670

Answer: winPEAS.exe

Which User Account was compromised? Format (DomainName/USERNAME)

vol3ではプロセスの環境変数を表示できる
vol -f dump.mem windows.envars --pid 7592 | grep USERを実行

Answer: MSEDGEWIN10/CyberJunkie

What is the compromised user password?

volatility2のときは，SAMとSECURITYのアドレスを確認してから，そのアドレスをvolのコマンドに渡すことで表示していたがそれが一発でできるようになったよう．

ここで見つけたCyberJunkieのハッシュをcrackstationに投げる．

Answer: password123